Thinking the smart grid as a mesh architecture, and then, by using the sidecar pattern, creating the digital twin for cybersecurity automatically

1. Enabling a Zero Trust Architecture in Smart
Grids through a Digital Twin
Giovanni Paolo Sellitto, Helder Aranha, Massimiliano Masi,
and Tanja Pavleska
massimiliano.masi@gmail.com
DSOGRI, Virtual Conference, September 13, 2021

2. Problem Statement
Smart Grids are complex systems with high variability
Energy communities, Virtual Power Plants, employ a different
set of Distributed Energy Resources (DER)
Operators tend to include prosumers and DERs rather than
exclude them due to interoperability and security reason
And no standard exists yet!
Sellitto et al.: ZTA and DT CC
Massimiliano Masi DSOGRI, Virtual Conference, September 13, 2021 2/13

3. Huge attack surface
DERs and households run in potentially different contexts
Messages could be exchanged over public internet. Can PLCs
be exposed (InterNiche critical bug, CVE-2020-25928)
Safety, Availability, Integrity, and Confidentiality control
messages are usually shared in a shared internet cable, where
vulnerabilities of segregation tools can have huge impact on
the grid stability (e.g., VPN)
Protocols not made with security in mind (e.g., 60870,
61850), added at a later stage (IEC 62531)
Sellitto et al.: ZTA and DT CC
Massimiliano Masi DSOGRI, Virtual Conference, September 13, 2021 3/13

4. Operation-Aware Design
In such scenario it is paramount to secure the entire system
before it is in production: design the system with security in
mind
Cyberattacks will come, with probability = 1
Consider always Cyber-and-physical security as a cross cutting
concern
From business to device
Syntax and Semantics
Sellitto et al.: ZTA and DT CC
Massimiliano Masi DSOGRI, Virtual Conference, September 13, 2021 4/13

5. Our core: SGAM and RMIAS
SGAM support the definition of security
countermeasures during the entire lifecycle of the
Smart Grid
Design the target architecture and start reasoning
over abstract architectural assets to assess its
quality (resilience, security, business continuity
plans)
Threat model it, and simulate its security through
a CyberSecurity Digital Twin
If possible, derive it automatically
Sellitto et al.: ZTA and DT CC
Massimiliano Masi DSOGRI, Virtual Conference, September 13, 2021 5/13

6. Supporting Fidelity
A digital twin enjoys the concept of fidelity
How to ensure that the Digital Twin represents the actual
system, since it is highly dynamic (for an ICS)?
How to ensure that the actual system is compliant with the
SGAM model?
How to remain flexible with respect to innovation and new
products?
The proposal
The digital twin as an architectural deliverable
Explore new architectural variants and observe the evolution
of the threat model
Find better business continuity plan and cyber resilience
programs
Sellitto et al.: ZTA and DT CC
Massimiliano Masi DSOGRI, Virtual Conference, September 13, 2021 6/13

7. Introducing the control view
We represent our SGAM assets as microservice architecture,
service mesh
Introduce an additional architectural view to SGAM, akin to a
Control Plane (common terminology and concept from TelCo)
Segregation between the information used to control the
system, w.r.t. the information used by the system
Register/De-Register DERs using a proxy pattern
Sellitto et al.: ZTA and DT CC
Massimiliano Masi DSOGRI, Virtual Conference, September 13, 2021 7/13

8. The sidecar pattern
We use the well-known sidecar pattern to proxy
the instance of the architectural asset in the
SGAM cube by injecting the information in the
control plane / view
This allows to have a digital twin of the instances
as well, directly mapped from SGAM, inheriting
all the measurements and simulations performed
ex-ante
Reasoning over the SGAM, its cyber-security
digital twin, and drilling down to the control
plane, enables to define, by design, the necessary
authorization processes and rules to attain a Zero
Trust Architecture
Sellitto et al.: ZTA and DT CC
Massimiliano Masi DSOGRI, Virtual Conference, September 13, 2021 8/13

9. The Digital Twin: observability
Observability
The control view enables the management of information flows
needed for the dynamic alignment of the Digital Twin and the
Smart Grid. Every new participant that joins the grid is registered
through the sidecar and it is monitored until it gets de-registered
Sellitto et al.: ZTA and DT CC
Massimiliano Masi DSOGRI, Virtual Conference, September 13, 2021 9/13

10. Conclusions and future work
We have seen a method to derive a digital twin of the
architecture to evaluate its security before it is deployed, and
a process to keep its instance aligned with the current status
of the Smart Grid, by re-using the concepts of service mesh
Still to be done: implement the process using a reference
implementation, such as ISTIO, by defining the metadata
obtained with the sidecar, and automatically perform the
connection rules defined by the ZTA
Sellitto et al.: ZTA and DT CC
Massimiliano Masi DSOGRI, Virtual Conference, September 13, 2021 10/13

11. Input from Attendees / Discussion
Sellitto et al.: ZTA and DT CC
Massimiliano Masi DSOGRI, Virtual Conference, September 13, 2021 11/13

12. Thank You
Sellitto et al.: ZTA and DT CC
Massimiliano Masi DSOGRI, Virtual Conference, September 13, 2021 12/13